Third-Party Risk Management Industry with Brad Hibbert

Innovation in Compliance with Tom Fox

English - June 07, 2022 04:01 - 20 minutes - ★★★★ - 16 ratings

Brad Hibbert is the Chief Strategy Officer and Chief Operations Officer at Prevalent Inc., a company specializing in eliminating security and compliance exposures tied to third-party vendors and suppliers. Tom Fox welcomes Brad back to this week’s show to explore and discuss a study Prevalent recently released entitled, “The 2022 Third-Party Risk Management Industry Study”. 

Third-Party Risk Management Industry Survey 
Brad reveals that Prevalent Inc. has been working on the “Third-Party Risk Management Survey” for approximately three years. To gather data on the subject, they send the survey to thousands of professionals who focus on third-party risk management and who also have a background in security. When the results come in, they are categorized, analyzed, and examined for trends. Tom asks Brad what overall assessment of third-party risk management he drew from the survey. “I think third-party risk management is certainly getting more awareness within companies and within executive teams within companies,” Brad replied. He also noticed that both IT and non-IT risks are major concerns for the respondents.

Key Observations About the State of Third-Party Management Risk Today
Tom asks Brad to further analyze and discuss the key findings of the survey. These are the key observations:

“Organizations are paying more attention to non-IT security risks but not enough.” Brad explains that programs that investigate IT threats are starting to acknowledge non-IT threats as well. He says, “It is no longer just about IT vendors, so organizations are trying to get a broader visibility across that broader supply chain of IT vendors and non-IT vendors, and they're also trying to get a broader visibility of the types of risks that they're looking at.” Brad sees this as a positive trend in the third-party risk management industry.

“Third-party risk management may (finally!) be getting more strategic.” Tom knows that IT professionals and compliance professionals understand the gravity of third-party risk but wonders if higher-level executives see it the same way – this is an issue to be dealt with strategically, he points out. Brad explains that 31% of respondents indicated that they were impacted by a third-party data breach. These incidents will cause entire organizations to raise awareness of third-party risk and take it seriously. He remarks, “People from security, people from procurement, people from contract, legal and compliance are trying to understand how they can get a holistic view of this concern around vendor risk to minimize it throughout that vendor life cycle.” 

“Manual methods for assessing third parties persist but dissatisfaction runs high.” Unfortunately, most companies are still fixated solely on their main IT vendors and security risks, and they believe that they can simply use manual methods like emails and spreadsheets. However, as your third-party risk management grows, you can no longer use those methods successfully, as they “do not examine the risks and remediate those risks with the vendors efficiently.”

“Organizations are concerned with increasingly damaging third-party security incidents but are using disparate tools to detect, investigate and resolve exposures.” Brad says, “High profile impactful data breaches are certainly raising awareness of the problem and it’s causing more organizations to monitor third parties for these types of data breaches.” However, the number of successful breaches over the pandemic suggests that organizations are not using established tools to fight the threats.

Full show notes can be found at Compliance Podcast Network.

Resources 
Brad Hibbert | LinkedIn | Twitter
Prevalent Inc. | Third-Party Risk Management Study
